Alexander Fortin
2011-Jun-15 12:43 UTC
[Puppet Users] Can a node access a not-imported module's files?
Hi folks,

I've finally found the time (and the will!) to test puppet and thanks to this ml and other great resources like docs.puppetlabs.com and #puppet on freenode, I must admit it's much easier than what I thought. It's evident this is a great community indeed, nice job everyone!

I've got a doubt and I wasn't able to find documentation about it, so I thought it was time to try out this ML too: I'd like to manage sensitive data like PEM certs (to manage openvpn services for instance) and I'm puzzled by this doubt: is it possible for a client to "steal" information from the master? I mean, can mynode see modules/mymodule/files/mysecretfile even if the node 'mynode' is not including that module?

-- 
Alexander Fortin
http://about.me/alexanderfortin/

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2011-Jun-15 14:54 UTC
Re: [Puppet Users] Can a node access a not-imported module's files?
On Wed, Jun 15, 2011 at 5:43 AM, Alexander Fortin <alexander.fortin@gmail.com> wrote:
> Hi folks, I've finally found the time (and the will!) to test puppet and
> thanks to this ml and other great resources like docs.puppetlabs.com and
> #puppet on freenode, I must admit it's much easier than what I thought. It's
> evident this is a great community indeed, nice job everyone!
>
> I've got a doubt and I wasn't able to find documentation about, so I
> thought it was time to try out this ML too: I'd like to manage sensitive
> data like PEM certs (to manage openvpn services for instance) and I'm
> puzzled by this doubt: is it possible for a client to "steal" information
> from the master? I mean, can mynode see modules/mymodule/files/mysecretfile
> even if the node 'mynode' is not including that module?

By default, yes.

It is possible to construct an API call to access fileserver data that hasn't been explicitly assigned to that node.

However you can construct your own ACLs to restrict access to certain files using auth.conf:

http://docs.puppetlabs.com/guides/rest_auth_conf.html

For such data, I would create a specific module or custom fileserver mount, and restrict access to it explicitly.

http://docs.puppetlabs.com/guides/file_serving.html

-- 
Nigel Kersten
Product, Puppet Labs
@nigelkersten
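A worked configuration for the restricted-mount approach Nigel describes, added here as an example; it is not from the thread or from Puppet's shipped defaults, and the mount name `secrets`, the directory `/etc/puppet/private` and the certname `vpn-gateway.example.com` are assumptions.

```ini
# /etc/puppet/fileserver.conf (added example; mount name, path and certname are assumptions)
#
# A custom mount is served only to the certnames matched by its allow
# entries (hostnames, *.domain globs or IP ranges); any other agent is
# refused, even though that agent can still fetch
# puppet:///modules/<anymodule>/... from the unrestricted modules mount.
[secrets]
  path /etc/puppet/private
  allow vpn-gateway.example.com

# /etc/puppet/auth.conf (excerpt, added example)
#
# Rules are evaluated in order and the first matching path wins, so the
# narrow rule for the mount must come before the generic "path /file"
# rule that lets every authenticated agent use the file server.
path ~ ^/file_(metadata|content)/secrets/
auth yes
allow vpn-gateway.example.com

path /file
allow *
```

A manifest then references the certificate as `source => "puppet:///secrets/woof.pem"`, and a request for that URL from an agent outside the allow list is refused by the master rather than served.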
Luke Bigum
2011-Jun-15 14:58 UTC
[Puppet Users] Re: Can a node access a not-imported module's files?
On Jun 15, 1:43 pm, Alexander Fortin <alexander.for...@gmail.com> wrote:
> I've got a doubt and I wasn't able to find documentation about, so I
> thought it was time to try out this ML too: I'd like to manage sensitive
> data like PEM certs (to manage openvpn services for instance) and I'm
> puzzled by this doubt: is it possible for a client to "steal"
> information from the master? I mean, can mynode see
> modules/mymodule/files/mysecretfile even if the node 'mynode' is not
> including that module?

Yes, I believe you can if you know how, unless it's changed very recently. It was discussed a while ago, and if I remember correctly, all you need is a valid Puppet certificate to access any "Files" (ie: puppet:///modules/$module_name/foo/bar) in any module, regardless of if the class is included on a node or not.

If you're afraid of that, you could pass your private key file content across the wire using 'content' instead of 'source':

    # generate() takes the command and each of its arguments as separate strings
    file { "/etc/pki/woof.pem":
      content => generate("/bin/cat", "/etc/puppet/private/woof.pem"),
    }

Check the correct format for generate(). That's a terrible idea if the catalog gets written to disk anywhere. Can someone confirm?

> --
> Alexander Fortin
> http://about.me/alexanderfortin/
Alexander Fortin
2011-Jun-15 15:00 UTC
Re: [Puppet Users] Can a node access a not-imported module's files?
On 06/15/2011 04:54 PM, Nigel Kersten wrote:
> By default, yes.
>
> It is possible to construct an API call to access fileserver data that
> hasn't been explicitly assigned to that node.
>
> However you can construct your own ACLs to restrict access to certain
> files using auth.conf
>
> http://docs.puppetlabs.com/guides/rest_auth_conf.html
>
> For such data, I would create a specific module or custom fileserver
> mount, and restrict access to it explicitly.
>
> http://docs.puppetlabs.com/guides/file_serving.html

Thanks Nigel, I'll think about that option. I'm not yet sure if it's a better idea to keep secret files stored in just one "secure" place (say, an encrypted folder on my laptop or better) as I'm doing now, than collecting them on a server. It was more a curiosity than a real necessity, many thanks for the explanation though.

-- 
Alexander Fortin
http://about.me/alexanderfortin/
Nigel Kersten
2011-Jun-15 15:01 UTC
Re: [Puppet Users] Re: Can a node access a not-imported module's files?
On Wed, Jun 15, 2011 at 7:58 AM, Luke Bigum <Luke.Bigum@lmax.com> wrote:
> On Jun 15, 1:43 pm, Alexander Fortin <alexander.for...@gmail.com> wrote:
> > I've got a doubt and I wasn't able to find documentation about, so I
> > thought it was time to try out this ML too: I'd like to manage sensitive
> > data like PEM certs (to manage openvpn services for instance) and I'm
> > puzzled by this doubt: is it possible for a client to "steal"
> > information from the master? I mean, can mynode see
> > modules/mymodule/files/mysecretfile even if the node 'mynode' is not
> > including that module?
>
> Yes, I believe you can if you know how, unless it's changed very
> recently. It was discussed a while ago, and if I remember correctly,
> all you need is a valid Puppet certificate to access any "Files" (ie:
> puppet:///modules/$module_name/foo/bar) in any module, regardless of
> if the class is included on a node or not.
>
> If you're afraid of that, you could pass your private key file content
> across the wire using 'content' instead of 'source':
>
> file { "/etc/pki/woof.pem":
>   content => generate( [ "/bin/cat", "/etc/puppet/private/woof.pem" ] ),
> }
>
> Check the correct format for generate(). That's a terrible idea if the
> catalog gets written to disk anywhere. Can someone confirm?

Only the agents who have been delivered that resource will end up with that data in their catalog.

I should have mentioned this solution as well.

Note too the file() function which lets you simply return the contents of a file without needing to jump through the hoop of using cat.
Alexander Fortin
2011-Jun-15 15:21 UTC
Re: [Puppet Users] Re: Can a node access a not-imported module's files?
On 06/15/2011 05:01 PM, Nigel Kersten wrote:
> > Check the correct format for generate(). That's a terrible idea if the
> > catalog gets written to disk anywhere. Can someone confirm?
>
> Only the agents who have been delivered that resource will end up with
> that data in their catalog.
>
> I should have mentioned this solution as well.
>
> Note too the file() function which lets you simply return the contents
> of a file without needing to jump through the hoop of using cat.

Yes, this sounds reasonable!

@Luke: about the catalog writing danger, do you refer to the client or the master? Anyway, to make this work, eventually both client and master will store the secret somewhere, so I don't think it's an issue as far as the secret/catalog is only readable by root.

-- 
Alexander Fortin
http://about.me/alexanderfortin/